Quest: instant questionnaire collection from handshake messages using WLAN

A common approach for questionnaire collection is to set up a WLAN and respondents submit answers via specific apps or a web browser. However, much unnecessary background traffic is incurred once a device connects to Wi-Fi, consuming limited airtime and constraining the number of simultaneous connections. In this paper, we show that connection is not necessary, since the handshake messages themselves can carry answers. We propose Quest, an alternative questionnaire collection system that requires neither Internet access nor a stable connection. Quest sets up a password-protected Wi-Fi network to which respondents connect using any smart device with a Wi-Fi module and type their answers as passwords. Quest then retrieves the answers from the handshake messages. However, the answers are sent in hashed form instead of plain text; thus, recovery of answers from handshake messages, i.e., password cracking, is time-consuming, leading to a long delay. Quest employs three techniques to address the challenge. First, Quest restricts the types of questions to closed-ended ones, reducing the set of possible answers. Second, Quest precomputes an offline dictionary to speed up the cracking process. Third, we prove that, in our problem, it is sufficient to consider the first 128 bits of a key, instead of the entire 384 bits in the standard. Thus, Quest only checks the first 128 bits of a key. These techniques reduce the worst-case per-user cracking time from several minutes to a few seconds on a laptop computer. We implement Quest in commodity-off-the-shelf hardware and evaluate it in a real-world environment.